Application in Nt Native Api

This is a discussion on Application in Nt Native Api within the A Brief History of Cprogramming.com forums, part of the Community Boards category.


Well, we are trying to build an application using the NT Native API.
This application is for deleting some files used by a trojan, which the most
popular AVs don't detect here, and they also don't delete the main files.
The problem is:
This trojan installs a .sys (image SYS driver) which protects all files used
by the trojan from being deleted in the boot process.
In another way, we cannot change any information in the registry about this
trojan, because in the Windows environment this trojan has a DLL hooking any
change to its registry values, blocking the changes and in some cases
rolling back any changes we try to make, and of course we cannot delete
those files, because this DLL protects all its own files, including
the .sys file.
We tried to insert a native function from NT, such as NTUnload, but it doesn't
work, I think because the driver doesn't have a section with instructions to
unload the driver.
We can delete these files using NtDeleteFile from the NT Native API in our
executable, because the driver from the trojan loads before us, blocking the
function, and we see a message (STATUS_SHARING_VIOLATION). So we don't have
any ideas how to delete these files; they don't infect any other files, they
only install their own files to monitor PC activity and try to get bank
information.
So we don't have any more ideas how we can delete the files.

Can someone help us?

By the way, if needed, we can send here, or by private e-mail, our source code with which we try to delete these files, a small application we built
in the NT Native API.

And the trojan DLL uses winlogon.exe to stay in memory, but when we try to
close winlogon, they use System to stay active. We tried to stop the
service, but we always receive a message that we do not have rights to do
this action, and I believe they don't have a STOP function in the main DLL
of the service. All steps were tested in the Windows environment and also in
Safe Mode, and they don't work.

Information.

We would like to build a solution without using 3rd-party software.
We cannot block execution, because they have a DLL and this DLL keeps hooking the system, blocking any attempts to delete, block, rename; everything we could do was tested, so we began to build an application using the NT Native API.
But anyway, thanks for your replies, but we need help with the NT Native API.

Unfortunately, unless you can find a way to "unhook" this driver [which I doubt there is an API to do that - as hooking is generally done by simply putting new values in the relevant dispatch tables], you are not going to be able to "attack" it by driver code, NT API or otherwise, since it will [as I understand it from what you've written] use various hooks to prevent itself from being removed.

The native API is still just the internal representation of, mainly, the external API function calls - it is not some sort of silver bullet that allows you to do things you can't do with the external API.

To be more specific!

Can anyone please contribute an example of using the ZwWriteFile/NtWriteFile
procedure? I think maybe I can, in the boot process, change the trojan file's content
to something else to stop it from working.
The file to access should be "\\??\\C:\\PROGRA~1\\UNT\\UNT.DLL".

If you have no rights to open that file with write access, there's no difference whether you use NtWriteFile or WriteFile.

Like matsp said, NT api does not help you to bypass OS security or limitations. It may help you to implement a few things differently than WinAPI does it, but not much - it certainly doesn't help with denied access.
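The NtWriteFile example asked for above, added here as an illustration and not code from anyone in the thread: it opens the `\??\` object path the post gives with the documented NtCreateFile/NtWriteFile calls and hands back the raw NTSTATUS, which makes the replies' point concrete, since a file the driver keeps open returns the same STATUS_SHARING_VIOLATION the post already saw through the Win32 layer. The helper names, the marker content written and the run-time lookup of the two functions from ntdll.dll are assumptions; the path and status helpers compile anywhere, the file write itself only on Windows.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#endif
/* NTSTATUS codes the thread mentions (values from ntstatus.h). */
#define NT_STATUS_SHARING_VIOLATION 0xC0000043u
#define NT_STATUS_ACCESS_DENIED     0xC0000022u
/* NTSTATUS is a signed 32-bit value; negative means failure (the NT_SUCCESS test). */
static int nt_success(uint32_t status) { return (int32_t)status >= 0; }
/* Object-manager path from a Win32 drive path: "C:\PROGRA~1\UNT\UNT.DLL" becomes
 * "\??\C:\PROGRA~1\UNT\UNT.DLL". Returns NULL when the result does not fit in out. */
static const char *nt_path_from_win32(const char *win32, char *out, size_t n) {
    return snprintf(out, n, "\\??\\%s", win32) < (int)n ? out : NULL;
}
#ifdef _WIN32
/* Documented prototypes, resolved from ntdll.dll at run time (no ntdll.lib needed). */
typedef NTSTATUS (NTAPI *NtCreateFile_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES,
    PIO_STATUS_BLOCK, PLARGE_INTEGER, ULONG, ULONG, ULONG, ULONG, PVOID, ULONG);
typedef NTSTATUS (NTAPI *NtWriteFile_t)(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID,
    PIO_STATUS_BLOCK, PVOID, ULONG, PLARGE_INTEGER, PULONG);
/* Open nt_path for writing and overwrite it with buf. Returns the raw NTSTATUS: a file the
 * driver holds open gives STATUS_SHARING_VIOLATION, one the caller may not write gives
 * STATUS_ACCESS_DENIED, the same outcomes CreateFile/WriteFile would report. */
static uint32_t nt_overwrite_file(const char *nt_path, const void *buf, ULONG len) {
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    NtCreateFile_t pNtCreateFile = (NtCreateFile_t)GetProcAddress(ntdll, "NtCreateFile");
    NtWriteFile_t pNtWriteFile = (NtWriteFile_t)GetProcAddress(ntdll, "NtWriteFile");
    wchar_t wpath[MAX_PATH]; size_t wlen = mbstowcs(wpath, nt_path, MAX_PATH);
    if (wlen == (size_t)-1 || wlen >= MAX_PATH || !pNtCreateFile || !pNtWriteFile)
        return 0xC000000Du; /* STATUS_INVALID_PARAMETER */
    UNICODE_STRING name = { (USHORT)(wlen * 2), (USHORT)(wlen * 2 + 2), wpath };
    OBJECT_ATTRIBUTES oa; IO_STATUS_BLOCK iosb; HANDLE h;
    InitializeObjectAttributes(&oa, &name, OBJ_CASE_INSENSITIVE, NULL, NULL);
    NTSTATUS st = pNtCreateFile(&h, FILE_GENERIC_WRITE | SYNCHRONIZE, &oa, &iosb, NULL,
        FILE_ATTRIBUTE_NORMAL, 0 /* no sharing */, FILE_OVERWRITE,
        FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
    if (!nt_success(st)) return st;
    st = pNtWriteFile(h, NULL, NULL, NULL, &iosb, (PVOID)buf, len, NULL, NULL);
    CloseHandle(h);
    return st;
}
int main(int argc, char **argv) { /* usage: prog C:\path\to\file */
    char ntp[MAX_PATH];
    if (argc < 2 || !nt_path_from_win32(argv[1], ntp, sizeof ntp)) return 2;
    return nt_success(nt_overwrite_file(ntp, "disabled", 8)) ? 0 : 1; /* constructed marker */
}
#endif
```

Checking the returned status against NT_STATUS_SHARING_VIOLATION and NT_STATUS_ACCESS_DENIED is the whole diagnostic: the native call runs the same access and sharing checks the Win32 call does, so a denial here is a denial everywhere.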


The first hit I got in Google describes how the function works fairly well - if you do not understand how to use that information, you are most certainly not ready to write driver-level code - that is NOT beginner stuff.